New Member

PIX Access-list question

The following access-list works on a cisco router, however, the list will not work on the PIX (I change the wildcard mask to a subnet mask for the PIX).

Router (works)

access-list test permit tcp 192.168.1.50 0.0.0.5 host 10.10.10.1 eq 80

PIX (does not work)

access-list test permit tcp 192.168.1.50 0.0.0.10 host 10.10.10.1 eq 80

I receive the following error message on the PIX:

ERROR: Source address,mask <192.168.1.50, 0.0.0.10> doesn't pair

Is there a way to group IP addresses together on the PIX in a similar fashion as Cisco IOS?

Thank You!

Domo Arigato!

Accepted Solutions
New Member

Re: PIX Access-list question

You can only use

192.168.1.48 255.255.255.248 for the source, or if this is too many hosts you have to insert a separate entry for each source.

Of course you can deny host 192.168.1.49 and

allow the others permit 192.168.1.48 255.255.255.248

6 REPLIES
New Member

Re: PIX Access-list question

The command is:

access-list test permit tcp 192.168.1.50 (subnet mask) host 10.10.10.1 eq 80

New Member

Re: PIX Access-list question

Goal is to create single access-list statement that covers several hosts.

Example:

Permit hosts 192.168.1.50 - 192.168.1.54 to access web server on host 10.10.10.1.

Can a single access-list statement be created that permits all five of the above hosts port 80 access to the web server on host 10.10.10.1?

Trying to avoid entering an access-list statement for each host needing access to web server.

Thanks.

Silver

Re: PIX Access-list question

What PIX OS version are you running? Recent versions support an object group concept, where you can group associated things to do exactly what you seek.

Matt

New Member

Re: PIX Access-list question

Version 6.2(2)

Thanks for the input on object groups. I'll do more research and see if object groups offer a viable solution.

Thanks-

New Member

Re: PIX Access-list question

The PIX uses subnet masks, not wildcard masks, that's why you get the address, mask doesn't pair error...
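
Added example (not part of any post in this thread): a Python check of which hosts the router's wildcard entry really matches, which hosts the 192.168.1.48 255.255.255.248 block admits beyond 192.168.1.50 - 192.168.1.54, and the exact address/mask pairs that cover only that range. The function names are made up for illustration, and the generated lines assume the `access-list ... <address> <mask> ...` form shown in the thread.

```python
import ipaddress

def wildcard_matches(addr, wildcard):
    """Hosts matched by an IOS-style address/wildcard pair (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    base = a & ~w & 0xFFFFFFFF
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    if len(free_bits) > 16:
        raise ValueError("wildcard too broad to enumerate")
    hosts = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= bit
        hosts.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(hosts)]

def is_contiguous_netmask(mask):
    """True if mask is a run of 1 bits followed by 0 bits (a real subnet mask)."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def exact_blocks(first, last):
    """Smallest list of (address, subnet mask) pairs covering first..last only."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.netmask)) for n in nets]

def extra_hosts(net, mask, first, last):
    """Addresses a subnet entry admits that lie outside the intended range."""
    block = ipaddress.IPv4Network(f"{net}/{mask}")
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(h) for h in block if not lo <= h <= hi]

def pix_lines(name, first, last, dest, port):
    """One subnet-mask ACL line per exact block (syntax as used in the thread)."""
    return [f"access-list {name} permit tcp {a} {m} host {dest} eq {port}"
            for a, m in exact_blocks(first, last)]

if __name__ == "__main__":
    print("router entry matches:", wildcard_matches("192.168.1.50", "0.0.0.5"))
    print("0.0.0.10 is a subnet mask:", is_contiguous_netmask("0.0.0.10"))
    print("/29 over-permits:", extra_hosts("192.168.1.48", "255.255.255.248",
                                           "192.168.1.50", "192.168.1.54"))
    for line in pix_lines("test", "192.168.1.50", "192.168.1.54", "10.10.10.1", 80):
        print(line)
```

The wildcard 0.0.0.5 frees two non-adjacent bits, so the router entry matches .50, .51, .54 and .55 rather than .50 through .54; auditing what an entry admits before porting it between platforms catches this kind of mismatch.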
